mGRE and NHRP code 4 (administratively prohibited)

Hello,

I am implementing an mGRE tunnel between 4 locations (routers):

r7200 - Hub and NHS = ip 10.0.78.1

r1841 - Spoke = 10.0.78.2

r1841 - Spoke = 10.0.78.3

r871 - Spoke = 10.0.78.4

The mGRE tunnels are configured as follows:

r7200 - 10.0.78.1

interface Tunnel78
 ip address 10.0.78.1 255.255.255.248
 no ip redirects
 ip nhrp authentication xxx
 ip nhrp responder Loopback0
 ip nhrp map multicast dynamic
 ip nhrp network-id 78
 ip nhrp holdtime 600
 ip nhrp cache non-authoritative
 tunnel source Loopback0
 tunnel mode gre multipoint
end

r1841 - 10.0.78.2

interface Tunnel78
 ip address 10.0.78.2 255.255.255.248
 no ip redirects
 ip mtu 1400
 ip nhrp authentication xxx
 ip nhrp map multicast 172.16.4.205
 ip nhrp map 10.0.78.1 200.13.161.142
 ip nhrp map multicast 200.13.161.142
 ip nhrp network-id 78
 ip nhrp holdtime 300
 ip nhrp nhs 10.0.78.1
 ip tcp adjust-mss 1360
 tunnel source 172.16.4.206
 tunnel mode gre multipoint
end

r1841 - 10.0.78.3

interface Tunnel78
 ip address 10.0.78.3 255.255.255.248
 no ip redirects
 ip mtu 1400
 ip nhrp authentication xxx
 ip nhrp map multicast 172.16.4.205
 ip nhrp map 10.0.78.1 200.13.161.142
 ip nhrp map multicast 200.13.161.142
 ip nhrp network-id 78
 ip nhrp holdtime 300
 ip nhrp nhs 10.0.78.1
 ip nhrp cache non-authoritative
 ip tcp adjust-mss 1360
 tunnel source 172.16.4.58
 tunnel mode gre multipoint
end

r871 - 10.0.78.4

interface Tunnel78
 ip address 10.0.78.4 255.255.255.248
 no ip redirects
 ip mtu 1400
 ip nhrp authentication xxx
 ip nhrp map multicast 172.16.4.205
 ip nhrp map 10.0.78.1 200.13.161.142
 ip nhrp map multicast 200.13.161.142
 ip nhrp network-id 78
 ip nhrp holdtime 300
 ip nhrp nhs 10.0.78.1
 ip nhrp cache non-authoritative
 ip tcp adjust-mss 1360
 tunnel source 172.16.1.122
 tunnel mode gre multipoint
end

The issue is happening between the 871 (10.0.78.4) and one of the 1841s (10.0.78.3). They can reach each other, but not directly, and the "show ip nhrp brief" command shows those entries as "incomplete":

r1841 - 10.0.78.3:

1841-IZALQUENO_StaTecla#show ip nh bri
   Target          Via          NBMA             Mode      Intfc   Claimed
10.0.78.1/32    10.0.78.1    200.13.161.142   static    Tu78    <   >
10.0.78.2/32    10.0.78.2    172.16.4.206     dynamic   Tu78    <   >
10.0.78.3/32    10.0.78.3    172.16.4.58      dynamic   Tu78    <   >
10.0.78.4/32    10.0.78.4    incomplete

r871 - 10.0.78.4:

   Target          Via          NBMA             Mode      Intfc   Claimed
10.0.78.1/32    10.0.78.1    200.13.161.142   static    Tu78    <   >
10.0.78.3/32    10.0.78.3    incomplete

When the entries are incomplete they do 2 hops:

Trace from 10.0.78.3 to 10.0.78.4

1841-IZALQUENO_StaTecla#trace 10.0.78.4
Type escape sequence to abort.
Tracing the route to 10.0.78.4
  1 10.0.78.1 0 msec 4 msec 0 msec
  2 10.0.78.4 8 msec *  4 msec
1841-IZALQUENO_StaTecla#

For some short moments the entries show up complete with the correct NBMA addresses and the routers reach each other "directly", but after some minutes the "debug nhrp packet" starts showing the error code (4) and the entries become incomplete...

I guess it has to be related...

The "debug nhrp packets" output on 10.0.78.3 shows:

Aug 22 08:59:54: NHRP: Send Resolution Request via Tunnel78 vrf 0, packet size: 82
Aug 22 08:59:54:  src: 10.0.78.3, dst: 10.0.78.4
Aug 22 08:59:54:  (F) afn: IPv4(1), type: IP(800), hop: 255, ver: 1
Aug 22 08:59:54:      shtl: 4(NSAP), sstl: 0(NSAP)
Aug 22 08:59:54:  (M) flags: "router auth src-stable", reqid: 467
Aug 22 08:59:54:      src NBMA: 172.16.4.58
Aug 22 08:59:54:      src protocol: 10.0.78.3, dst protocol: 10.0.78.4
Aug 22 08:59:54:  (C-1) code: no error(0)
Aug 22 08:59:54:        prefix: 0, mtu: 1514, hd_time: 300
Aug 22 08:59:54:        addr_len: 0(NSAP), subaddr_len: 0(NSAP), proto_len: 0, pref: 0
Aug 22 08:59:54: NHRP: Send Resolution Request via Tunnel78 vrf 0, packet size: 82
Aug 22 08:59:54:  src: 10.0.78.3, dst: 10.0.78.1
Aug 22 08:59:54:  (F) afn: IPv4(1), type: IP(800), hop: 255, ver: 1
Aug 22 08:59:54:      shtl: 4(NSAP), sstl: 0(NSAP)
Aug 22 08:59:54:  (M) flags: "router auth src-stable", reqid: 467
Aug 22 08:59:54:      src NBMA: 172.16.4.58
Aug 22 08:59:54:      src protocol: 10.0.78.3, dst protocol: 10.0.78.4
Aug 22 08:59:54:  (C-1) code: no error(0)
Aug 22 08:59:54:        prefix: 0, mtu: 1514, hd_time: 300
Aug 22 08:59:54:        addr_len: 0(NSAP), subaddr_len: 0(NSAP), proto_len: 0, pref: 0
Aug 22 08:59:54: NHRP: Receive Resolution Reply via Tunnel0 vrf 0, packet size: 134
Aug 22 08:59:54:  (F) afn: IPv4(1), type: IP(800), hop: 255, ver: 1
Aug 22 08:59:54:      shtl: 4(NSAP), sstl: 0(NSAP)
Aug 22 08:59:54:  (M) flags: "router auth dst-stable unique src-stable", reqid: 467
Aug 22 08:59:54:      src NBMA: 172.16.4.58
Aug 22 08:59:54:      src protocol: 10.0.78.3, dst protocol: 10.0.78.4
Aug 22 08:59:54:  (C-1) code: no error(0)
Aug 22 08:59:54:        prefix: 32, mtu: 1514, hd_time: 300
Aug 22 08:59:54:        addr_len: 4(NSAP), subaddr_len: 0(NSAP), proto_len: 4, pref: 0
Aug 22 08:59:54:        client NBMA: 172.16.1.122
Aug 22 08:59:54:        client protocol: 10.0.78.4
Aug 22 08:59:54: NHRP: Send Error Indication via Tunnel78 vrf 0, packet size: 326
Aug 22 08:59:54:  src: 10.0.78.3, dst: 10.0.78.4
Aug 22 08:59:54:  (F) afn: IPv4(1), type: IP(800), hop: 255, ver: 1
Aug 22 08:59:54:      shtl: 4(NSAP), sstl: 0(NSAP)
Aug 22 08:59:54:  (M) error code: administratively prohibited(4), offset: 0
Aug 22 08:59:54:      src NBMA: 172.16.4.58
Aug 22 08:59:54:      src protocol: 10.0.78.3, dst protocol: 10.0.78.4
Aug 22 08:59:54:      Contents of error packet:
Aug 22 08:59:54:         00 01 08 00 00 00 00 00 00 FF 00 86 36 7D 00 3C
Aug 22 08:59:54:         01 02 04 00 04 04 F8 02 00 00 01 D3 AC 10 04 3A
Aug 22 08:59:54:         0A 00 4E 03 0A 00 4E 04 00 20 00 00 05 EA 01 2C
Aug 22 08:59:54:         04 00 04 00 AC 10 01 7A 0A 00 4E 04 80 03 00 14
Aug 22 08:59:54:         00 00 00 00 05 EA 01 2C 04 00 04 00 AC 10 01 7A
Aug 22 08:59:54: NHRP: Send Error Indication via Tunnel78 vrf 0, packet size: 326
Aug 22 08:59:54:  src: 10.0.78.3, dst: 10.0.78.1
Aug 22 08:59:54:  (F) afn: IPv4(1), type: IP(800), hop: 255, ver: 1
Aug 22 08:59:54:      shtl: 4(NSAP), sstl: 0(NSAP)
Aug 22 08:59:54:  (M) error code: administratively prohibited(4), offset: 0
Aug 22 08:59:54:      src NBMA: 172.16.4.58
Aug 22 08:59:54:      src protocol: 10.0.78.3, dst protocol: 10.0.78.4
Aug 22 08:59:54:      Contents of error packet:
Aug 22 08:59:54:         00 01 08 00 00 00 00 00 00 FF 00 86 36 7D 00 3C
Aug 22 08:59:54:         01 02 04 00 04 04 F8 02 00 00 01 D3 AC 10 04 3A
Aug 22 08:59:54:         0A 00 4E 03 0A 00 4E 04 00 20 00 00 05 EA 01 2C
Aug 22 08:59:54:         04 00 04 00 AC 10 01 7A 0A 00 4E 04 80 03 00 14
Aug 22 08:59:54:         00 00 00 00 05 EA 01 2C 04 00 04 00 AC 10 01 7A

!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

I would greatly appreciate your help. Why do the entries show as incomplete after a short time?

Why is it happening only between one of the 1841s and the 871 (they are all running advipservices)?

If you need additional information, please ask, and thanks for reading the issue.

Regards

Wil
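
The following Python is an added example, not part of the original post and not a Cisco tool. It parses lines trimmed from the debug output above, decodes the packet enclosed in the Error Indication using the RFC 2332 fixed and mandatory header layout, and reports which tunnel interfaces the matching request and reply used. The function names are hypothetical.

```python
import re
import struct
from ipaddress import IPv4Address
# Lines trimmed from the "debug nhrp packet" output in the post above.
DEBUG = """\
Aug 22 08:59:54: NHRP: Send Resolution Request via Tunnel78 vrf 0, packet size: 82
Aug 22 08:59:54:  (M) flags: "router auth src-stable", reqid: 467
Aug 22 08:59:54: NHRP: Receive Resolution Reply via Tunnel0 vrf 0, packet size: 134
Aug 22 08:59:54:  (M) flags: "router auth dst-stable unique src-stable", reqid: 467
Aug 22 08:59:54: NHRP: Send Error Indication via Tunnel78 vrf 0, packet size: 326
Aug 22 08:59:54:  (M) error code: administratively prohibited(4), offset: 0
Aug 22 08:59:54:         00 01 08 00 00 00 00 00 00 FF 00 86 36 7D 00 3C
Aug 22 08:59:54:         01 02 04 00 04 04 F8 02 00 00 01 D3 AC 10 04 3A
"""
HEAD = re.compile(r"NHRP: (Send|Receive) (.+?) via (\S+) vrf")
REQID = re.compile(r"reqid: (\d+)")
HEXROW = re.compile(r":\s+((?:[0-9A-F]{2} )+[0-9A-F]{2})\s*$")
OPS = {1: "Resolution Request", 2: "Resolution Reply", 7: "Error Indication"}

def decode_enclosed(raw):
    """Read the RFC 2332 fixed and mandatory headers of the enclosed packet."""
    shtl = raw[18] & 0x3F                       # low 6 bits: NBMA address length
    reqid, = struct.unpack_from("!I", raw, 24)  # Request ID in the mandatory part
    return {"op": OPS.get(raw[17], raw[17]), "reqid": reqid,
            "pktsz": struct.unpack_from("!H", raw, 10)[0],
            "src_nbma": str(IPv4Address(bytes(raw[28:28 + shtl])))}

def parse_events(text):
    events = []
    for line in text.splitlines():
        if m := HEAD.search(line):              # start of a new NHRP packet trace
            events.append({"dir": m[1], "kind": m[2], "intf": m[3], "reqid": None, "hex": bytearray()})
        elif events and (m := REQID.search(line)):
            events[-1]["reqid"] = int(m[1])
        elif events and (m := HEXROW.search(line)):
            events[-1]["hex"] += bytes.fromhex(m[1])
    return events

def explain_errors(text):  # tie each Error Indication back to the exchange it rejects
    events, findings = parse_events(text), []
    for ev in [e for e in events if e["kind"] == "Error Indication" and len(e["hex"]) >= 32]:
        inner = decode_enclosed(ev["hex"])
        peers = [e for e in events if e["reqid"] == inner["reqid"]]
        sent = {e["intf"] for e in peers if e["dir"] == "Send"}
        rcvd = {e["intf"] for e in peers if e["dir"] == "Receive"}
        findings.append({**inner, "sent_via": sorted(sent), "received_via": sorted(rcvd),
                         "interface_mismatch": bool(rcvd - sent)})
    return findings

print(explain_errors(DEBUG))
```

On this excerpt the enclosed packet decodes as the Resolution Reply for reqid 467, whose request was sent via Tunnel78 while the reply was received via Tunnel0.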
